A recent investigation by Moonlock Lab has uncovered a sophisticated malware campaign targeting cryptocurrency and Web3 professionals. The attackers are using fabricated LinkedIn identities posing as venture capitalists (VCs) to lure victims into fake video conference links. The ultimate goal is to deploy malware onto victims’ devices via these links, exploiting the urgent need for professional connections and business opportunities in the crypto space. The campaign begins with attackers creating fake LinkedIn profiles, such as that of Mykhailo Hureiev, presented as the co-founder of SolidBit Capital, a fictitious VC firm.

The attackers craft personalized messages to potential victims, often referencing their professional achievements and presenting partnership opportunities in cryptocurrency or decentralized finance (DeFi). Once the target engages, the attackers direct them to schedule a video call through Calendly, which then redirects the victim to a Zoom or Google Meet link that leads to a malicious payload. This social engineering tactic exploits the professional credibility of a VC firm and the urgency of potential partnerships, leading to high engagement among targets eager to capitalize on job opportunities or investment discussions. The campaign uses the ClickFix technique, which presents the victim with a fake browser verification page (often appearing as a Cloudflare CAPTCHA) when they attempt to access the video conferencing link.

The page, while looking legitimate, contains malicious JavaScript that silently writes harmful commands to the victim’s clipboard. The malware is designed to work across macOS and Windows, with tailored payloads for each operating system. On Windows, the malware uses PowerShell scripts, while on macOS, it uses a bash one-liner that installs necessary dependencies before executing a hidden payload. Moonlock Lab’s investigation revealed that the campaign’s infrastructure is well-coordinated, using multiple fake companies, including SolidBit Capital, MegaBit, and Lumax Capital.
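As an added defensive illustration (not from the Moonlock Lab report or any tool it names), the following Python heuristic scores a fetched HTML page for the ClickFix shape described above: a clipboard-writing script sitting beside CAPTCHA-style verification text and paste instructions. The indicator lists, the verdict thresholds and both sample pages are constructed assumptions for this example.

```python
import re

# Heuristic indicator groups for a ClickFix-style "verification" page; the lists and
# thresholds are constructed assumptions for this example, not a vendor signature set.
INDICATORS = {
    "clipboard_write": [r"navigator\.clipboard\.writeText", r"execCommand\(\s*['\"]copy['\"]\s*\)"],
    "verification_lure": [r"verify (?:you are|you're) (?:a )?human", r"cloudflare", r"\bray id\b",
                          r"checking your browser"],
    "run_instructions": [r"win\s*\+\s*r\b", r"run dialog", r"ctrl\s*\+\s*v\b", r"cmd\s*\+\s*v\b",
                         r"open (?:the )?terminal"],
    "shell_keywords": [r"\bpowershell\b", r"\biex\b", r"-enc\b", r"\bcurl\s", r"\bbash\s", r"\bosascript\b"],
}


def find_indicators(html: str) -> dict:
    """Return, per group, the patterns that matched anywhere in the page (case-insensitive)."""
    return {group: [p for p in pats if re.search(p, html, re.IGNORECASE)]
            for group, pats in INDICATORS.items()}


def classify(html: str) -> dict:
    """A copy button alone is normal on the web; a clipboard write beside a CAPTCHA-style
    lure, paste instructions and shell keywords is the ClickFix shape."""
    hits = find_indicators(html)
    clip = bool(hits["clipboard_write"])
    lure = bool(hits["verification_lure"] or hits["run_instructions"])
    shell = bool(hits["shell_keywords"])
    if clip and lure and shell:
        verdict = "likely_clickfix"
    elif clip and (lure or shell):
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "hits": hits}


# Constructed sample pages: the lure uses a placeholder command, not a real payload.
LURE_PAGE = """<h1>Verify you are human</h1><p>Cloudflare Ray ID: 0000</p>
<p>Press Win + R, then Ctrl + V and Enter to continue.</p>
<script>navigator.clipboard.writeText("powershell -c PLACEHOLDER");</script>"""
DOCS_PAGE = """<h1>Install the CLI</h1><pre>pip install example-cli</pre>
<button onclick="navigator.clipboard.writeText(document.querySelector('pre').innerText)">Copy</button>"""

if __name__ == "__main__":
    for name, page in (("lure", LURE_PAGE), ("docs", DOCS_PAGE)):
        print(name, classify(page)["verdict"])  # lure likely_clickfix / docs benign
```

The documentation page with an ordinary "Copy" button stays benign because nothing pairs the clipboard write with a lure or shell content; treat the verdict as a triage signal to feed a proxy or mail-gateway review, not a block decision on its own.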

WHOIS data linked these domains to a registrant named Anatolli Bigdasch, located in Boston, Massachusetts, and tied to a Gmail address. This identity may either be fabricated or stolen, but it serves as the anchor for the malicious infrastructure. The campaign shares several similarities with attacks attributed to DPRK-aligned threat actors, specifically UNC1069, who have targeted the cryptocurrency sector with similar social engineering tactics. These parallels suggest a coordinated effort by financially motivated threat actors, although attribution remains inconclusive.
